OpenVPN 3 Core Library
Support deferred server-side state creation when client connects.
Classes

class openvpn::PsidCookieAddrInfoBase
    Interface to communicate the server's address semantics.
class openvpn::PsidCookieTransportBase
    Interface to provide access to the server's transport capability.
class openvpn::PsidCookie
    Interface to integrate this component into the server implementation.

Namespaces

namespace openvpn
Creating OpenVPN protocol tracking state upon receipt of an initial client HARD_RESET packet invites a bad actor to flood the server with connection requests while maintaining anonymity by spoofing the client's source address. Not only does this invite resource exhaustion, but, because of reliability-layer retries, it creates an amplification attack as the server retries its unacknowledged HARD_RESET replies to the spoofed address.
This solution treats the server's 64-bit protocol session ID ("psid") as a cookie that allows the server to defer state creation. It is ported here to openvpn3 from original work in OpenVPN. Unlike the randomly generated server psid produced in psid.hpp for the server's HARD_RESET reply, this approach derives the server psid via an HMAC of information from the incoming client OpenVPN HARD_RESET control message (i.e., the psid cookie). This allows the server to verify the client when it returns the server psid in its second packet, and only then to create protocol state.
Not only does this prevent the resource exhaustion, but it has the happy consequence of avoiding the amplification attack. Since no state is created on the first packet, there is no reliability layer; and, hence, no retries of the server's HARD_RESET reply.
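The following Python model is an added illustration of the mechanism described above; it is not code from OpenVPN 3 or from psid_cookie.hpp. The server psid is derived as the first 64 bits of an HMAC over the client's address and client psid, nothing is stored for the first packet, and per-session state is created only when the client echoes the cookie back. The choice of HMAC inputs, the secret-rotation interval, the acceptance of the previous secret for one interval, and all names and sample addresses are assumptions made for this example; the rotation behaviour goes slightly beyond what the text states.

```python
import hmac
import hashlib
import os
import time


class PsidCookieServer:
    """Toy model of a server that defers state creation until the client
    proves it can receive at the address it claims.

    The server psid returned in the HARD_RESET reply is not random: it is
    the first 64 bits of HMAC-SHA256(secret, client_addr || client_psid).
    Nothing is stored for the first packet, so a spoofed flood allocates
    nothing and there is no reliability layer to retry replies toward the
    spoofed address.  (Model code, not OpenVPN 3's implementation; using the
    client address and client psid as HMAC input is an assumption.)
    """

    ROTATE_SECONDS = 60  # assumed rotation interval for the HMAC secret

    def __init__(self, clock=time.time):
        self._clock = clock
        self._secret = os.urandom(32)
        self._prev_secret = None          # still accepted for one interval
        self._epoch = int(clock()) // self.ROTATE_SECONDS
        self.sessions = {}                # (addr, client_psid) -> state

    def _rotate_if_due(self):
        epoch = int(self._clock()) // self.ROTATE_SECONDS
        if epoch != self._epoch:
            self._prev_secret, self._secret = self._secret, os.urandom(32)
            self._epoch = epoch

    @staticmethod
    def _cookie(secret, addr, client_psid):
        msg = addr.encode() + client_psid.to_bytes(8, "big")
        return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

    def on_client_hard_reset(self, addr, client_psid):
        """Packet 1 from the client: compute the cookie and send it back.
        No per-client state is created here."""
        self._rotate_if_due()
        return self._cookie(self._secret, addr, client_psid)

    def on_second_packet(self, addr, client_psid, echoed_server_psid):
        """Packet 2 carries our psid back.  Recompute the cookie under the
        current and previous secret; create state only on a match.
        Returns True when a session was created."""
        self._rotate_if_due()
        for secret in (self._secret, self._prev_secret):
            if secret is None:
                continue
            expected = self._cookie(secret, addr, client_psid)
            if hmac.compare_digest(expected, echoed_server_psid):
                self.sessions[(addr, client_psid)] = {"server_psid": echoed_server_psid}
                return True
        return False


def simulate():
    """Constructed scenario: a spoofed flood, a legitimate client, a guessed
    cookie, a late reply after rotation, and a cookie reused from another address."""
    now = [1_000_000.0]
    server = PsidCookieServer(clock=lambda: now[0])
    results = {}

    # 1. Spoofed flood: 10,000 first packets from addresses the sender does
    #    not control.  The server answers each but stores nothing.
    for i in range(10_000):
        server.on_client_hard_reset(f"203.0.113.{i % 256}:{1024 + i}", i)
    results["sessions_after_flood"] = len(server.sessions)

    # 2. Legitimate client at a real address receives the reply and echoes it.
    addr, cpsid = "198.51.100.7:51820", 0x1122334455667788
    cookie = server.on_client_hard_reset(addr, cpsid)
    results["legit_accepted"] = server.on_second_packet(addr, cpsid, cookie)

    # 3. A sender that never saw the reply cannot produce the psid: rejected.
    results["forged_accepted"] = server.on_second_packet(
        "192.0.2.9:40000", 42, os.urandom(8))

    # 4. A client answering just after the secret rotates is still accepted
    #    because the previous secret is honoured for one interval.
    addr2, cpsid2 = "198.51.100.8:51821", 0x0102030405060708
    cookie2 = server.on_client_hard_reset(addr2, cpsid2)
    now[0] += PsidCookieServer.ROTATE_SECONDS
    results["late_reply_accepted"] = server.on_second_packet(addr2, cpsid2, cookie2)

    # 5. A valid cookie presented from a different address does not verify.
    results["cookie_bound_to_addr"] = not server.on_second_packet(
        "192.0.2.10:40001", cpsid, cookie)

    results["sessions_total"] = len(server.sessions)
    return results


if __name__ == "__main__":
    print(simulate())
```

The flood step is the point of the design: the server does work proportional to incoming packets (one HMAC each) but holds no memory for them and, since there is no session, has no reliability layer that would retransmit toward the spoofed addresses. Binding the cookie to the client's address is what makes the echoed psid a proof of reachability rather than a guessable value.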
Definition in file psid_cookie.hpp.